metamorpherrat | 6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374

General

Target

6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
Size

78KB
MD5

5035de61a0f808de5e03d37b266c6beb
SHA1

f265a2271892904229287ed7b62c974a2a20bb0e
SHA256

6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374
SHA512

c1803625cbce1da19375d43ba87b7e5afec2d008222725e16d28b0ace601c06b0d8abd6b09ff24c03fb9abe4d4e307eed9bcaae9a91bee2b356119cf78e41265
SSDEEP

1536:WPWtHY6JJteVdv5wyFppaVs+aYTCgtWzYXxxiMrBnP5oYZNQtC9/s1Eu:WPWtHYO3e/vqyA11XYUBxprBPjcC9/C

Score

10^/10

metamorpherrat discovery persistence rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Executes dropped EXE 1 IoCs

pid	Process
2676	tmpD75B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2412	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
2412	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\""	tmpD75B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD75B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
Token: SeDebugPrivilege	2676	tmpD75B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2176	2412	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	31
PID 2412 wrote to memory of 2176	2412	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	31
PID 2412 wrote to memory of 2176	2412	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	31
PID 2412 wrote to memory of 2176	2412	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	31
PID 2176 wrote to memory of 2060	2176	vbc.exe	33
PID 2176 wrote to memory of 2060	2176	vbc.exe	33
PID 2176 wrote to memory of 2060	2176	vbc.exe	33
PID 2176 wrote to memory of 2060	2176	vbc.exe	33
PID 2412 wrote to memory of 2676	2412	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	34
PID 2412 wrote to memory of 2676	2412	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	34
PID 2412 wrote to memory of 2676	2412	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	34
PID 2412 wrote to memory of 2676	2412	6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe	34

C:\Users\Admin\AppData\Local\Temp\6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
"C:\Users\Admin\AppData\Local\Temp\6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l8tpha_b.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD856.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD855.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
- C:\Users\Admin\AppData\Local\Temp\tmpD75B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD75B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6b9047ef8b63d813c70d08babf683b2fd56197dc0c544f1782bb51f53423c374.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD856.tmp

Filesize
1KB

MD5
3496f264b1fd7cf27b4f3f225e61137a

SHA1
d4d7081a2098b3e22321d081350f7c711c451eff

SHA256
371608972cb7537b8fb2ca7e7e446affbc3884fccb579c8b31fac0499b7c5732

SHA512
b744562c18b8aceef12deeb0558f883fd7a8805c8fc15543ba534bf6ee20c9ca03a23b627701ce7100be296dab9330958bfbd0e44447d373f54b1ff2137b93d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8tpha_b.0.vb

Filesize
15KB

MD5
bbf712bb21da2c66b2bc938e39be8503

SHA1
0739758f7d253082d3dca73b8b28794bee2f0fcd

SHA256
19d0533909dadde4e8d1089372c514b4e1dc5745e3ffc2ebe3ccb432c7e377d0

SHA512
1948e5eb3186e73b0ce4c990336e569b9042f2aa588a1187593dc79ddf62284e6a1434bc4d4beed7f895926bd39d23874b3f4b314b3a0a95c3177124764a63b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8tpha_b.cmdline

Filesize
266B

MD5
0c61d634a9c6c04d5e543479f423feb5

SHA1
60bb122a7eccaaf4ff47aaf1cbcac44e9f74dd3a

SHA256
dc40303a43020702519a8fcfc07a7a902538820f59617bc9daf33256357f74d0

SHA512
8363b4e713e72dedc21d3aecc2b8a38d2429d418e232e4ac22b22c99dcf0badab0ff0a149f3e8841ecdeed8e4b4e1c1966558a1d086162387fc69225eb99e444

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD75B.tmp.exe

Filesize
78KB

MD5
5b49a8d6d37b23137dff6e195b262a19

SHA1
aa978d0dd7d283e5b8ee05157b469a4adc21053f

SHA256
37a5267abb07be0371b1b4a7ff9d32358de27bf004034fec7495d3a158cd264b

SHA512
31cab1c045afd1b087c97b30b5f08a42e9306b68b390201d70f07eb8340a3b0320254a5775463844a4dd8e0a80b0a90ed5fbe77f7879b2c23252905ba2f1f9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD855.tmp

Filesize
660B

MD5
15c438ead8cda5da6787443ddfb58f43

SHA1
55a5efbeea5da8a820c8b5bb45a7581671a16bde

SHA256
f97628d3697a9e79a792253ef62d0c595732a3aca81e94aaeef03ef23de3274b

SHA512
34b805ba6c498170dfd7ce4fce4b5624059b442b79a1825993b3f6ef32f31ca5bdf8cfe5fa3e5ba2c3972507d779a235761414c791d0e419bc0ba3f99b754105

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8481b7e4924c14743ffc0d34075e2ce3

SHA1
e8e7ef480499ba85190b8d5f8e43f761850b0ef3

SHA256
6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac

SHA512
3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1

Download Submit
memory/2176-8-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2176-18-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2412-0-0x0000000074611000-0x0000000074612000-memory.dmp

Filesize
4KB

Download
memory/2412-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2412-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2412-24-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads